b'     Statement of Gregory H. Friedman\n\n             Inspector General\n\n         U.S. Department of Energy\n\n\n                 Before the\n\nSubcommittee on Oversight and Investigations\n\n    Committee on Energy and Commerce\n\n       U.S. House of Representatives\n\n\n\n\n                                 FOR RELEASE ON DELIVERY\n                                                     10:00 AM\n                                      Tuesday, January 30, 2007\n\x0cMr. Chairman and members of the Subcommittee, I am pleased to be here at your request to\n\ntestify on the Office of Inspector General\xe2\x80\x99s review of the recent compromise of classified data\n\nat the Department of Energy\xe2\x80\x99s Los Alamos National Laboratory.\n\n\n\nBACKGROUND\n\nThe Los Alamos National Laboratory, now operated by Los Alamos National Security, LLC,\n\nfor the Department\xe2\x80\x99s National Nuclear Security Administration (NNSA), has been at the\n\nforefront of our country\xe2\x80\x99s national security-related research and development enterprise for\n\nover 60 years. The physical and intellectual data that resides at the Laboratory reflects its\n\ncritically important missions, which range from ensuring the safety and reliability of our\n\nnuclear stockpile and preventing the proliferation of weapons of mass destruction to\n\nprotecting the Nation from terrorist attacks. To support these missions, the Laboratory\n\nmanages highly sensitive classified materials and information. Safeguarding such classified\n\ninformation \xe2\x80\x93 housed at over 2,700 separate classified computing operations, including 139\n\nvault-type rooms \xe2\x80\x93 requires that the Laboratory establish and maintain strong security\n\ncontrols.\n\n\n\nOver the years, there have been a number of highly-publicized security incidents that have\n\ncast doubt on the Los Alamos National Laboratory\xe2\x80\x99s ability to protect classified national\n\nsecurity assets. In 1999, a Los Alamos scientist was accused of and subsequently pled guilty\n\nto mishandling classified information by downloading nuclear secrets and removing them\n\nfrom the Laboratory. In the following year, largely in response to security concerns at Los\n\nAlamos, the NNSA was established as a semi-autonomous agency. In 2002, two computer\n\n\n                                                1\n\x0chard drives containing classified data were thought to be missing from a secure area within\n\nthe Laboratory, but were later found. In 2004, after an inventory indicated that two computer\n\ndisks containing classified information were missing, the Director of the Laboratory ordered a\n\nlengthy stand-down to address and resolve security concerns. That stand-down, according to\n\nthe U.S. Government Accountability Office, delayed important national security work at a\n\nsubstantial cost to the taxpayer.\n\n\n\nBecause of the need to ensure that the Nation\xe2\x80\x99s vital nuclear material and information are\n\nadequately protected, the Office of Inspector General has performed numerous audits,\n\ninspections, and investigations of physical and cyber security-related issues at the Laboratory.\n\nOur reviews have covered diverse areas such as the implementation of the design basis threat,\n\nsafeguards over classified material and property, and the security of information systems. I\n\nhave been asked to testify before this Subcommittee and other Congressional panels on\n\nseveral occasions regarding a series of management and security issues at Los Alamos.\n\n\n\nAs has been well-publicized, on October 17, 2006, the Los Alamos County Police Department\n\nresponded to a call at the home of a former employee of a Laboratory subcontractor. During a\n\nsubsequent search of the residence, police seized a computer flash drive that contained\n\nelectronic images of Los Alamos classified documents. In addition, hard copies of over 200\n\nclassified documents belonging to the Laboratory were also found in the residence.\n\nLaboratory officials determined that the seized classified information was derived from an\n\nongoing scanning and archiving project. This scanning project was being performed by a\n\nsubcontractor to the Laboratory. A criminal investigation regarding the seized material was\n\n\n\n\n                                               2\n\x0cinitiated by the Federal Bureau of Investigation. Shortly after the investigation began, the\n\nSecretary of Energy requested that the Office of Inspector General perform a separate review\n\nof the possible compromise of classified information at the Los Alamos National Laboratory.\n\nThe Secretary also asked that we evaluate certain aspects of the Department\xe2\x80\x99s security\n\nclearance process.\n\n\n\nOFFICE OF INSPECTOR GENERAL REVIEW\n\n\n\nThe Office of Inspector General promptly began a special inquiry that focused on what the\n\nDepartment and its contractors did or did not do to protect classified information and the steps\n\nthat were taken to ensure that only properly qualified individuals had access to such\n\ninformation. As part of that effort, we interviewed over 80 Departmental, Laboratory, and\n\nsubcontractor personnel; reviewed relevant security guidance and procedures; and, examined\n\nnumerous other relevant documents. Our findings related to the security clearance process\n\nshould be discussed in closed session.\n\n\n\nOur special inquiry revealed that despite the expenditure of millions of dollars by the NNSA\n\nto upgrade various components of the Laboratory\xe2\x80\x99s security apparatus, the security\n\nenvironment at the Laboratory was inadequate.\n\n\n\n\n                                               3\n\x0cIn particular we found that:\n\n   \xe2\x80\xa2   Certain computer ports, which could have been used to inappropriately migrate\n\n       information from classified systems to unclassified devices and computers, had not\n\n       been disabled;\n\n   \xe2\x80\xa2   Classified computer racks were not locked;\n\n   \xe2\x80\xa2   Certain individuals were inappropriately granted access to classified computers and\n\n       equipment to which they were not entitled;\n\n   \xe2\x80\xa2   Computers and peripherals (scanners and a printer) that could have been used to\n\n       compromise network security were introduced into a classified computing\n\n       environment without approval; and,\n\n   \xe2\x80\xa2   Critical security functions had not been adequately separated, essentially permitting\n\n       system administrators to supervise themselves and override controls.\n\n\n\nIn many cases, Laboratory management and staff had not developed policies necessary to\n\nprotect classified information, had not enforced existing safeguards, or provided the attention\n\nor emphasis necessary to ensure protective measures were adequate. Some of the security\n\npolicies were conflicting or applied inconsistently. We also found that Laboratory and\n\nFederal officials were not as aggressive as they should have been in conducting security\n\nreviews and physical inspections. In short, our findings raised serious concerns about the\n\nLaboratory\xe2\x80\x99s ability to protect both classified and sensitive information systems.\n\n\n\nAny diversion of classified material creates a potentially serious national security situation.\n\nFor this event in particular, the full extent of damage or dispersion of the classified material\n\n\n\n                                                4\n\x0cmay never be fully known. The criminal investigation into this matter is ongoing and may\n\nyet reveal additional security problems. Our findings, however, which are discussed in more\n\ndetail in the following paragraphs, underscore continuing problems with the Laboratory\xe2\x80\x99s\n\noverall management and security posture.\n\n\n\nOpen Computer Ports\n\nFollowing the security incident in 1999, the then Secretary of Energy ordered the Los Alamos\n\nNational Laboratory and other similarly situated facilities to implement controls and\n\nprotections to make it physically impossible to migrate classified information to unclassified\n\nsystems or devices. Although Los Alamos had taken action to disable some devices, our\n\nreview found that, in a significant number of instances, the Laboratory failed to deactivate\n\nunneeded open computer ports such as USB and \xe2\x80\x9cfirewire\xe2\x80\x9d ports that could have been used to\n\ncircumvent security controls.\n\n\n\nThis weakness could have permitted the transfer of classified information to unclassified\n\nsystems or easily concealable devices such as flash drives and portable hard drives. Open and\n\nunsecured ports also could have ultimately been used to transfer classified information to the\n\nLaboratory\xe2\x80\x99s unclassified network and the Internet. As evidenced by a series of e-mail\n\nexchanges in the March/April 2006 timeframe, officials in the Laboratory\xe2\x80\x99s Chief Information\n\nOfficer\xe2\x80\x99s organization recognized that it would be a simple matter to exploit this weakness by\n\nplugging a USB or firewire recording device into an open port and copying information to it.\n\nHowever, despite this recognition, a Laboratory-wide solution was never developed or\n\ndeployed.\n\n\n\n\n                                               5\n\x0cUnlocked Computer Racks\n\nWe also noted that Laboratory system administrators failed to take advantage of readily\n\navailable security measures that, in this case, could have helped prevent the unauthorized\n\nremoval of the electronic classified material found on the seized flash drive. As part of an\n\ninitiative to secure classified removable electronic media (CREM) following the 2002 security\n\nevent, Los Alamos acquired locking mechanisms that were to be used to secure and prevent\n\naccess to most rack-mounted classified computer systems. Following the installation of the\n\nlocks, Laboratory management determined that if a computer system did not contain CREM\n\nand it was located in a vault-type room, there was no need to lock the racks. As a\n\nconsequence, racks housing classified computers in the vault we reviewed were never\n\nsecured. Based on our inquiries, a Laboratory management official conceded that using the\n\navailable locks would have denied access to the enabled USB ports and could have prevented\n\nthe download of the diverted classified information.\n\n\n\nInappropriate Access Granted\n\nIn addition, despite existing control measures and specific guidance by the NNSA to the\n\ncontrary, system administrators at the Laboratory inappropriately granted certain individuals\n\naccess to classified computer equipment to which they were not entitled. Specifically,\n\nindividuals were given authority to physically access rack-mounted classified computer\n\nsystems \xe2\x80\x93 access that could have permitted them to exploit open USB and firewire ports.\n\nLaboratory officials also allowed a person that had no need to print documents to use a high-\n\nspeed classified network printer capable of producing double-sided documents identical to the\n\n\n\n                                               6\n\x0cformat of the hard copy classified documents that had been seized by law enforcement\n\nofficials. A senior Laboratory security official confirmed that granting unneeded access to\n\nusers was contrary to policy and that such action endangered security.\n\n\n\nIntroduction of Unapproved Devices\n\nTo ensure that classified systems are secure to operate, computers and peripheral devices\n\nshould be evaluated for risk and included in an approved systems security plan prior to being\n\nintroduced into a classified computing environment. However, program, security, and system\n\nadministration officials responsible for the vault we reviewed routinely ignored these controls.\n\nOur review disclosed that officials permitted the introduction of several computers and\n\nperipheral devices (scanners and a printer) into a classified computing location even though\n\nthese devices were not included in the accredited security plan. Thus, Laboratory and Federal\n\nofficials were not able to evaluate the security implications of their inclusion in the vault in\n\nquestion. Potentially, the introduction of these devices could have compromised security.\n\n\n\nIncompatible Security Functions\n\nAdditionally, Los Alamos did not adequately separate critical security duties. According to\n\nNNSA policy, \xe2\x80\x9cmeasures must be implemented to ensure the management, control, and\n\nseparation of security critical functions.\xe2\x80\x9d However, Laboratory officials frequently did not\n\nprovide for such separation, and a single individual was tasked with both system\n\nadministration and security officer duties \xe2\x80\x93 essentially supervising and approving his or her\n\nown actions. As a result, the system administrator was able to provide access to classified\n\ncomputers and peripherals to unauthorized individuals, thereby overriding classified\n\n\n\n                                                 7\n\x0cprotection safeguards. Los Alamos officials noted that the same issue existed in classified\n\ncomputing venues across the Laboratory.\n\n\n\nADDITIONAL FACTORS CONTRIBUTING TO DIVERSION\n\n\n\nThe security weaknesses we discovered resulted from control and management breakdowns at\n\nboth the contractor and Federal level. While the Department, the NNSA, and Los Alamos had\n\ndeployed some security controls to protect classified information, we observed problems with\n\npolicy development and implementation. Had the Department and the NNSA been more\n\naggressive in its contract administration and review activities, it may have been able to\n\nprevent, detect, or correct in a timely manner the problems or factors that contributed to the\n\ndiversion of classified material.\n\n\n\nWeaknesses in Security Policies\n\nOur review, for example, disclosed a particularly significant instance where classified\n\ncomputer policies had not been developed or properly formalized. In 1999, the then Secretary\n\nof Energy directed that safeguards be developed and implemented to prevent the migration of\n\nclassified data to unclassified systems to protect against insider threats. That direction\n\nspecifically required that organizations \xe2\x80\x9cestablish requirements that place stringent controls\n\non computers and work stations, including controls on\xe2\x80\xa6ports that could be used to download\n\nfiles.\xe2\x80\x9d The requirement was never included in the Department\xe2\x80\x99s cyber security policy nor was\n\nit completely implemented by the Laboratory.\n\n\n\n\n                                                8\n\x0cFurthermore, our inquiry revealed that conflicting direction and a lack of understanding\n\nregarding the introduction of equipment into classified computing environments contributed\n\nto the weaknesses we found. For example, Laboratory guidance required that security plans\n\nbe updated and systems reaccredited when security configurations changed. Certain officials,\n\nhowever, incorrectly instructed security officers that there was no need to comply with that\n\ndirection for selected devices. In other instances, officials inappropriately believed that the\n\nneed to update security plans and obtain reaccreditation of classified systems was a matter\n\nsolely within their discretion. They held this mistaken belief even though the Laboratory had\n\npublished specific guidance regarding events that triggered update requirements. During our\n\nreview, we identified a number of changes in security configurations for the vault we\n\nevaluated that should have triggered the requirement to update the system security plan. Yet,\n\nsuch action had not been taken.\n\n\n\nPolicy regarding the acquisition of computer support services for classified computing\n\nenvironments at the Laboratory was also inconsistent. In particular, as it applies to the matter\n\nunder review, procurement policy permitted subcontractors to furnish unaccredited items such\n\nas scanners and software for archiving projects. Such practices, however, were contrary to the\n\nsystem\xe2\x80\x99s security plan and to cyber security guidance issued by the NNSA. The NNSA\n\nguidance specifically prohibited the connection of non-government owned equipment to\n\nclassified networks.\n\n\n\n\n                                                9\n\x0cInsufficient Management Review and Overdue Inspection Activities\n\nThe failure of Laboratory managers and Federal security officials to perform verification\n\nactivities may also have adversely affected the classified security climate at the Laboratory\n\nand contributed to the recent removal of classified material. Laboratory security officials\n\nindicated that they did not visit vaults or computing facilities to determine whether controls\n\ndescribed in security plans were actually in place. Federal officials at the Los Alamos Site\n\nOffice also told us that they did not conduct physical inspections of the Laboratory\xe2\x80\x99s\n\nclassified information systems. Accrediting officials at the Site Office explained that they\n\nplaced a great deal of emphasis on reviewing security plans and accrediting systems, but that\n\nthey had only 1.5 staff years to dedicate to classified security. They asserted that as a\n\nconsequence they were unable to perform physical inspection of systems to validate that the\n\nLaboratory\xe2\x80\x99s plans were accurate and were being enforced.\n\n\n\nDelays in completing classified information system inspections may also have impacted the\n\ndetection of the security weaknesses we identified. NNSA officials informed us that they\n\nrelied almost exclusively on the Office of Independent Oversight, Office of Health, Safety and\n\nSecurity to conduct detailed inspections of Los Alamos\xe2\x80\x99 classified information systems.\n\nThese inspections are normally completed once every two years. However, the inspection at\n\nLos Alamos had not been performed for about four years for a variety of reasons including the\n\n2004 security stand-down at the Laboratory. The Office of Independent Oversight had begun\n\na previously scheduled review of Los Alamos\xe2\x80\x99 classified information systems at about the\n\nsame time the diversion of classified information was discovered.\n\n\n\n\n                                               10\n\x0cNEEDED ACTIONS\n\n\n\nAfter this incident was discovered, management officials at various levels of the Department\n\nand at the Laboratory launched several efforts to identify and correct control deficiencies that\n\ncaused or contributed to the unauthorized removal of classified information. In particular, the\n\nSecretary established two task forces to address our findings and the Deputy Secretary\n\ndirected an immediate review of policies and practices related to computer ports at each of the\n\nDepartment\xe2\x80\x99s facilities.\n\nAs a result of our review, we provided the Department a number of recommendations\n\ndesigned to assist it in its efforts to correct identified deficiencies. For example, we\n\nrecommended that the Department take immediate action to disable unneeded computer ports,\n\nsecure classified computer racks, segregate critical security functions, and limit classified\n\ncomputer access and privileges to those who specifically require it.\n\n\n\nIn its letter of invitation, the Subcommittee requested that the Office of Inspector General\n\nidentify broader actions that could improve the overall security climate at the Los Alamos\n\nNational Laboratory and the Department at large. Based on the results of this special inquiry\n\nand other recent IG reviews and investigations, we concluded that the Department and the\n\nNNSA should:\n\n\n\n   1. Establish an up-to-date, unified, risk-based security policy that flows throughout all\n\n       elements of the Department. It is essential that this policy be applied consistently and\n\n\n\n\n                                                11\n\x0c       that all aspects of security -- physical, cyber, and personnel -- be integrated to ensure a\n\n       seamless system.\n\n   2. Aggressively hold individuals and institutions -- at the Federal and contractor levels --\n\n       accountable for failure to follow established security policies. Penalties should\n\n       include meaningful reductions in contractor fees; personnel reassignments and\n\n       terminations; civil penalties; program redirection; and, ultimately, should need be,\n\n       contract termination.\n\n\n\nOne final note, one of the most disturbing aspects of this event is the fact that it was not\n\ndiscovered by the Laboratory but by local police during an off-site investigation unrelated to\n\nLaboratory activities. Without this inadvertent discovery, the diversion of classified material\n\nmay never have been disclosed. In that light, Los Alamos and the Department need to\n\nstrengthen efforts to proactively detect and prevent security breakdowns. This might include,\n\nfor instance, improving the level of monitoring of classified computer/information activity by\n\nthe use of specialized software, activity logging, and by initiating a program of unannounced\n\nsecurity checks beyond routine inspections. Admittedly, there is a cost involved with such\n\nundertakings, but it is a cost that may be necessary given the pattern of security issues at the\n\nLaboratory.\n\n\n\nMr. Chairman, this concludes my statement and I would be pleased to answer any questions\n\nyou may have.\n\n\n\n\n                                                12\n\x0c'